The SANS Network Security Digest - May 1997 - SECU


From: Alan Paller, SANS Institute

Your May SANS Network Security Digest is below.

If you would like to receive a French version, email us at [email protected]
with Subject "French". Jean Chouanard has graciously translated the May
Digest to French.

-----BEGIN PGP SIGNED MESSAGE-----

-----------------------------------------------------------------
|               The SANS Network Security Digest                |
|                 Vol. 1, No. 4        May 5, 1997              |
|                    Editor: Michele Crabb                      |
|                    Contributing Editors:                      |
|    Matt Bishop, Gene Spafford, Steve Bellovin, Gene Schultz   |
|    Rob Kolstad, Marcus Ranum, Dorothy Denning, Dan Geer       |
|    Peter Neumann, Peter Galvin, David Harley, Jean Chouanard  |
----A Resource for Computer and Network Security Professionals---

CONTENTS:
1) SECURITY FLAW IN CELLPHONE ENCRYPTION ROUTINE
2) AOL4FREE -- HOAX, TROJAN OR BOTH?
3) FIVE MORE NT BUGS REPORTED
4) TWO NEW PROBLEMS REPORTED IN FREEBSD
5) OLD BIND PROBLEMS RESURFACE AGAIN
6) NEW VULNERABILITY IN INN DISCOVERED
7) VULNERABILITY IN IMAP
8) QUICK SUMMARIES
9) NORTON UTILITIES + INTERNET EXPLORER -> DANGEROUS
10) WAR OF THE ANTI-VIRUS VENDORS
11) NETWORK SECURITY CHALLENGES AND CALL
- -----------------------------------------------------------------

- -----------------------------------------------------------------
1) SECURITY FLAW IN CELLPHONE ENCRYPTION ROUTINE (3/19)

Bruce Schneier, Robert Sanders, David Wagner and Lori Sinton
discovered a flaw in CMEA (the Cellular Message Encryption
Algorithm), the Telecommunications Industry Association algorithm
for digital telephones. The algorithm protects the control messages
of digital cellular calls, including digits dialed on the keypad
such as PINs and credit card numbers (the voice itself is not
covered by CMEA). According to Bruce Schneier, founder of
Counterpane Systems and a cryptography expert, the attack requires
512 chosen plaintexts or 40-80 known plaintexts and can be carried
out in a few minutes. For more information, refer to
<http://www.counterpane.com/cmea.html>
- -----------------------------------------------------------------

- -----------------------------------------------------------------
2) AOL4FREE.COM -- HOAX, TROJAN or BOTH? (4/16)

A recent "virus alert" claims that mail with the subject heading
"AOL4FREE.COM" trashes computers as soon as it is read. This is
a hoax, of course. However, a Trojan program has been distributed
as an attachment to a message under the same name. When run, it
attempts to delete files on PC hard drives.

Further information at:
<http://ciac.llnl.gov/ciac/bulletins/h-47a.shtml>
<http://www.virusbtn.com/aol4free.html>

Short paper on dealing with Internet hoaxes available at:
<http://webworlds.co.uk/dharley/anti-virus/hoaxes.txt>
- -----------------------------------------------------------------

- -----------------------------------------------------------------
3) FIVE MORE NT BUGS REPORTED

Now that NT is hitting the mainstream, more and more security bugs
are being reported. In the last month there were at least five
reports of major security problems. This is probably just the tip
of the iceberg. If you are questioning whether NT is ready for
prime time use in your organization, see <http://www.dlxguard.com>
for a relevant discussion.

A) NT Authentication Bug
Internet Explorer on Windows NT will transparently attempt NT
challenge/response authentication, using a value derived from the
user's NT password, against any web server that asks for it. The
user has no way of knowing that the authentication took place. A
side effect: a hostile server that records the challenge and the
response can test them offline against a pre-computed database of
candidate passwords and instantly detect whether one of those
passwords was used. For more information see:
<http://www.efsl.com/security/ntie/>
-----------------------
B) Two New NT Password Crackers (4/11)
Version 2 of NTCrack, a program designed to crack Windows NT
Passwords off-line, has just been released. The program requires
the PWDUMP program which was released on 3/11. For more information
see: <http://www.secnet.com/ntinfo/ntcrack.html>

Alec Muffett's Crack 5.0 also works on NT passwords.
<http://www.sun.rhbnc.ac.uk/~phac107/c50a-nt-0.10.tgz>

L0phtcrack Rev 1.0, also released last month, recovers the LANMAN
and/or NT Dialect MD4 plaintext password from output derived from
the SAM registry. For more information:
<http://www.l0pht.com/advisories.html>

Also see the EET article at:
<http://www.techweb.com/wire/news/apr/0416hack.html>

Additional information at:
<http://www.osp.nl/infobase/ntpass.html>
-----------------------
C) Built-in Back Door in NT (4/19)
NT accepts an "anonymous" (null session) connection, intended for
machine-to-machine communication. Many people assumed that this
connection had no access to any system resources. However, analysts
have recently discovered that an anonymous connection can access NT
resources on any machine which has NetBIOS bound to the network
interface. A user exploiting the bug may gain unauthorized access
to any files or resources which are made available to the
'Everyone' group. More information at: <http://www.iss.net/>
-----------------------
D) Windows NT SAM Vulnerability (4/9)
Windows NT default file permissions on some Registry files and
Administrator account rights create a vulnerability which may
allow remote users to gain Administrator privileges. All
versions up through NT 4.0 are vulnerable.

-----------------------
E) NT RedButton Bug
This security problem affects the majority of NT based networks.
It allows users of both NT 4.0 and 3.51 (workstation or server) to
copy the passwd file. On NT 4.0 it also allows users to modify the
registry to create a reference to a Trojan horse program located on
the intruder's computer. At the next login, this program will be
executed under the identity of the user logging in. For more
details see:
<http://www.NTsecurity.com/RedButton/>
- -----------------------------------------------------------------

- -----------------------------------------------------------------
4) TWO NEW PROBLEMS REPORTED IN FREEBSD

A) Security vulnerability in sysinstall (4/7). The sysinstall program,
under some circumstances, will install an 'ftp' user on the system
with an empty password and a shell of '/bin/date'. The presence of
this account could lead to unauthorized access of the system and/or
files contained on the system. This bug affects versions
FreeBSD 2.1, 2.1.5, 2.1.6, 2.1.7, 2.2 and 2.2.1. For more
information refer to the FreeBSD website at:
<http://www.freebsd.org/>

-----------------------
B) Buffer Overflow in FreeBSD tgoto Library Function (3/13)
A buffer overflow problem was discovered in the tgoto library
function of FreeBSD. The overflow overwrites the BSS segment.
The problem has been corrected in the latest versions (FreeBSD
RELENG_2_1_0, RELENG_2_2, and HEAD).
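Item A above is the kind of condition an administrator can verify directly in /etc/master.passwd. The following audit is an added example written for this page, not FreeBSD's own code, and the master.passwd lines it reads are constructed (placeholder hashes, and an 'ftp' entry shaped like the one the advisory describes: empty password field, shell /bin/date). The set of login shells is an assumption standing in for /etc/shells.

```python
"""Audit BSD master.passwd entries for empty passwords, extra uid-0 accounts and odd shells."""

# BSD master.passwd has ten colon-separated fields:
# name:password:uid:gid:class:change:expire:gecos:home:shell
FIELDS = ("name", "password", "uid", "gid", "class",
          "change", "expire", "gecos", "home", "shell")

# Constructed sample, not from any real system. Hashes are placeholders.
SAMPLE_MASTER_PASSWD = """\
root:$1$sample$NotARealHash0000000000:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
ftp::14:14::0:0:Anonymous FTP:/var/ftp:/bin/date
alice:$1$sample$NotARealHash1111111111:1001:1001::0:0:Alice:/home/alice:/bin/sh
""".splitlines()

LOGIN_SHELLS = ("/bin/sh", "/bin/csh", "/bin/tcsh")          # assumed /etc/shells content
LOCKED_SHELLS = ("/sbin/nologin", "/usr/sbin/nologin")


def parse_master_passwd(lines):
    """Yield one dict per entry; skip blanks and comments; reject malformed lines."""
    for line in lines:
        line = line.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError(f"malformed master.passwd entry: {line!r}")
        yield dict(zip(FIELDS, parts))


def audit(lines):
    """Return sorted (account, finding) pairs.

    empty-password : password field is blank, so any password check succeeds
    uid0-not-root  : an additional uid-0 account (FreeBSD's 'toor' is expected,
                     but it should stay locked with '*' as in the sample)
    unknown-shell  : shell is neither a login shell nor a nologin shell, as
                     with the /bin/date shell the advisory describes
    """
    findings = []
    for e in parse_master_passwd(lines):
        if e["password"] == "":
            findings.append((e["name"], "empty-password"))
        if e["uid"] == "0" and e["name"] != "root":
            findings.append((e["name"], "uid0-not-root"))
        shell = e["shell"] or "/bin/sh"                      # empty shell field means /bin/sh
        if shell not in LOGIN_SHELLS + LOCKED_SHELLS:
            findings.append((e["name"], "unknown-shell"))
    return sorted(findings)


if __name__ == "__main__":
    for account, finding in audit(SAMPLE_MASTER_PASSWD):
        print(f"{account:10} {finding}")
```

On a real host, read the file with `open("/etc/master.passwd")` as root; the empty-password check is the one that matters for the advisory, the other two are the usual companions in a password-file review.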
- -----------------------------------------------------------------

- -----------------------------------------------------------------
5) OLD BIND PROBLEMS RESURFACE AGAIN (4/22)

The BIND nameserver is known to have several weaknesses, some of
which were identified as long ago as 1990 but were never fixed in
production versions of the code. Recently, SNI (Secure Networks
Inc.) brought these problems to the fore again by publishing an
advisory on their "discovery" of these flaws. The first allows an
attacker, under certain conditions, to corrupt the cache of a
remote nameserver. The second is a failure to check whether a
hostname's length exceeds MAXHOSTNAMELEN, which can cause buffer
overflows in client programs that copy a returned name into a
fixed-size buffer. An exploit script for these vulnerabilities is
known to be available on the Internet.

A complete description is available at:
<http://www.secnet.com/nav1.html>
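The second flaw above is a missing length check on names coming back from the network. The following decoder is an added example, not BIND's or SNI's code, showing the checks a resolver has to apply to a DNS name before trusting its length: label-type bits, the 255-octet wire limit, packet bounds, compression pointers that must point backwards, and finally a fit test against the caller's fixed buffer (the role MAXHOSTNAMELEN plays in C). The packets are constructed for the example; the 256-byte default buffer is an assumption.

```python
"""Bounds-checked DNS name decoding for a resolver that must not trust name lengths."""
import struct

MAX_NAME = 255          # RFC 1035: a name is at most 255 octets on the wire


class BadName(ValueError):
    """Raised for any name a careful resolver must refuse."""


def decode_name(pkt: bytes, off: int):
    """Return (dotted_name, offset_after_name) for the name starting at pkt[off].

    Label lengths are 6 bits, so a 'label over 63 octets' cannot be encoded at
    all: a length byte with either high bit set is a compression pointer (11)
    or a reserved type (01/10). Pointers must point strictly backwards, which
    rules out loops without needing a visited set.
    """
    labels, total, end, jumped = [], 0, None, False
    while True:
        if off >= len(pkt):
            raise BadName("name runs past end of packet")
        length = pkt[off]
        if length & 0xC0 == 0xC0:                           # compression pointer
            if off + 1 >= len(pkt):
                raise BadName("truncated compression pointer")
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            if ptr >= off:
                raise BadName("compression pointer does not point backwards")
            if not jumped:
                end, jumped = off + 2, True
            off = ptr
            continue
        if length & 0xC0:
            raise BadName("reserved label type (a claimed label over 63 octets)")
        total += length + 1
        if total > MAX_NAME:
            raise BadName(f"name exceeds {MAX_NAME} octets")
        if length == 0:                                      # root label ends the name
            return ".".join(labels) or ".", (end if jumped else off + 1)
        label = pkt[off + 1:off + 1 + length]
        if len(label) != length:
            raise BadName("label runs past end of packet")
        labels.append(label.decode("ascii", "replace"))
        off += 1 + length


def hostname_into_buffer(pkt: bytes, off: int, buflen: int) -> str:
    """Model a client copying a decoded name into a buflen-byte C buffer
    (buflen = MAXHOSTNAMELEN): the check the advisory says was missing."""
    name, _ = decode_name(pkt, off)
    if len(name) + 1 > buflen:                               # +1 for the C NUL terminator
        raise BadName(f"{len(name)}-byte hostname does not fit in {buflen}-byte buffer")
    return name


def encode_name(name: str) -> bytes:
    """Wire-encode a dotted name without validation, so bad input can be built."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def rejects(pkt: bytes, off: int = 0, buflen: int = 256) -> bool:
    """True if the decoder or the buffer-fit check refuses the name."""
    try:
        hostname_into_buffer(pkt, off, buflen)
        return False
    except BadName:
        return True


# Constructed sample packets; no real DNS traffic.
GOOD = encode_name("www.example.com") + b"\xc0\x04"       # second name: pointer to "example.com"
LOOP = b"\xc0\x00"                                         # pointer to itself
LONG_LABEL = bytes([70]) + b"a" * 70 + b"\x00"             # claims a 70-octet label
LONG_NAME = encode_name(".".join(["a" * 60] * 5))          # 305 octets of wire format

if __name__ == "__main__":
    print(decode_name(GOOD, 0), decode_name(GOOD, 17))
    for name, pkt in (("loop", LOOP), ("long label", LONG_LABEL), ("long name", LONG_NAME)):
        print(name, "rejected" if rejects(pkt) else "accepted")
```

Note that the buffer-fit test is separate from the wire-format checks: a name can be perfectly legal DNS (up to 253 text characters) and still not fit a platform whose MAXHOSTNAMELEN is 64, which is exactly the case the advisory's "client program" overflow turns on.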
- -----------------------------------------------------------------

- -----------------------------------------------------------------
6) NEW VULNERABILITY IN INN DISCOVERED (3/18)

CERT posted a bulletin describing a new vulnerability in INN
versions prior to 1.5.1 which, according to CERT, is actively
being exploited. The vulnerability allows remote users to execute
arbitrary commands on the local news server as the same UID that
INN is run under. The problem has been corrected in version 1.5.1.
More information:
<ftp://info.cert.org/pub/cert_advisories/CA-97.08.innd>

Information on available INN patches:
<http://www.isc.org/inn.html>
- -----------------------------------------------------------------

- -----------------------------------------------------------------
7) VULNERABILITY IN IMAP (4/7)

A vulnerability involving the method of handling login
transactions has been discovered in IMAP and in some POP
implementations. The vulnerability can be exploited to gain
root access to the IMAP/POP server. Patches are available from
various vendors and the latest version of IMAP has corrected the
problem. The new version can be found at:
<ftp://ftp.cac.washington.edu/mail/imap.tar.Z>

People are actively exploiting this vulnerability. For more
information refer to the Secure Networks bulletin at:
<ftp://ftp.secnet.com/pub/advisories/>
<ftp://info.cert.org/pub/cert_advisories/CA-97.09.imap_pop>
- -----------------------------------------------------------------

- -----------------------------------------------------------------
8) QUICK SUMMARIES

A) Solaris fdformat Bug (3/24) - A buffer overflow exists in
/bin/fdformat under Solaris 2.4 and 2.5.1. Because fdformat is
installed set-uid root, any local user who exploits it can gain
root access. For more information refer to the AUSCERT Advisory
AA-97-11 at:
<http://www.auscert.org.au/information/advisories/aus_1997.html>
-----------------------
B) Solaris /bin/eject (3/14) - A buffer overflow vulnerability,
which allows local users to gain root access, exists in /bin/eject
under Solaris 2.4, 2.5 and 2.5.1. Earlier versions may be
vulnerable as well. More information: AUSCERT Advisory AA-97-10 at:
<http://www.auscert.org.au/information/advisories/aus_1997.html>
-----------------------
C) Solaris security patch out for buffer overrun in the passwd
command in Solaris versions 2.5.1 and 2.5. This problem was
reported in the March issue of the SANS Digest. To receive the
patch information send email to [email protected] with
subject of "SEND #139".
Patches are available on <http://sunsolve.sun.com>.
-----------------------
D) New security contact at Sun. Mark Graff has been promoted to a
new position at Sun and will no longer be the author of the Sun
Security Bulletins. The new originating email address is
[email protected]. To report problems, still send email
to [email protected].
-----------------------
E) Update on PHP/FI Script (4/16) - A vulnerability has been found
by DiS in PHP/FI, a CGI enhancement for NCSA httpd. It allows
unauthorized users to view the contents of arbitrary files on the
machine running httpd by passing the name of the file to be
displayed in the QUERY_STRING. For more information visit:
<http://www.vex.net/php>
-----------------------
F) Problem with AIX NLS (3/23) - Buffer overflows in NLS
environment variables affect such programs as /bin/host
and /usr/sbin/mount. IBM AIX® 3.2.x, 4.1.x, 4.2.x. Result:
unprivileged users may gain root access.
Patches: AIX 4.2: APAR IX67377
AIX 4.1: APAR IX67407
AIX 3.2: APAR IX67405
More information at:
<ftp://testcase.software.ibm.com/aix/fromibm/README.NLS_security_fix>
-----------------------
G) HP ppl command (4/22) - Vulnerability could allow local users
to gain root privileges. Apply the patches:
PHNE_10290 for all platforms with HP-UX releases 9.X
PHNE_10363 for all platforms with HP-UX releases 10.01
PHNE_10364 for all platforms with HP-UX releases 10.10
PHNE_10365 for all platforms with HP-UX releases 10.20
For more information, refer to the web page at:
<http://us.external.hp.com>
-----------------------
H) IRIX gmemusage program - A security vulnerability has been found
with the gmemusage program distributed in the DeveloperToolbox
versions 6.0 (based on IRIX 5.3), 6.1 (based on IRIX 6.2), and as
part of the eoe.sw.perf subsystem for IRIX 6.1 through 6.4. For more
details, see the web page at:
<http://www.sgi.com/Support/Secur/security.html>
-----------------------
I) ipfilter for FreeBSD - ipfilter, a popular host-based filtering
utility is now available for FreeBSD2.2/3.0-current. The FreeBSD
specific version can be found at the following two ftp sites:

<ftp://suburbia.net/pub/proff/ipfilter-proff-final2.shar.gz>
<ftp://ftp.freebsd.org/pub/FreeBSD/incoming/ipfilter-proff-final2.shar.gz>

The original distribution site for ipfilter is:
<http://cheops.anu.edu.au/~avalon/>
-----------------------
J) Interesting website for "PC Bugs, Glitches, Incompatibilities...
and their Fixes". If you are looking for the latest scoop on PC
related security problems, check out <http://bugnet.com>. They
have a lot of interesting PC related security information.
-----------------------
K) Phrack Volume 50 (4/16) - Phrack Volume 50 published an article
on SNMPv1 vulnerabilities. Find the article at:
<http://www.fc.net:80/phrack/>
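Item E above (PHP/FI serving any file named in the QUERY_STRING) is the file-disclosure pattern that still recurs in web code. The following is an added example, not PHP/FI's code or the DiS advisory, showing a handler with that flaw next to one that confines requests to the document root by resolving the real path and testing containment. The document root, page and "secret" file are created in a temporary directory for the demonstration; the path /srv/htdocs-example used in the containment checks is a hypothetical name.

```python
"""Arbitrary-file read via an unchecked QUERY_STRING, beside the containment check that stops it."""
import os
import shutil
import tempfile


def vulnerable_serve(docroot: str, query_string: str) -> bytes:
    """Serve whatever file the client names. os.path.join discards docroot
    when query_string is absolute, and '..' components walk out of it."""
    with open(os.path.join(docroot, query_string), "rb") as f:
        return f.read()


def contained(docroot: str, query_string: str) -> bool:
    """True only if the request resolves to a path inside docroot.
    realpath normalises '..' and follows symlinks, so a link planted inside
    docroot that points outside is refused too. The os.sep suffix prevents
    '/srv/htdocs-example2' from passing as a prefix match."""
    root = os.path.realpath(docroot)
    target = os.path.realpath(os.path.join(root, query_string))
    return target == root or target.startswith(root + os.sep)


def safe_serve(docroot: str, query_string: str) -> bytes:
    if not contained(docroot, query_string):
        raise PermissionError(f"refusing {query_string!r}: outside document root")
    with open(os.path.realpath(os.path.join(docroot, query_string)), "rb") as f:
        return f.read()


def demo() -> dict:
    """Build a throwaway docroot with one page and a secret file outside it,
    then request both through each handler; return what each request produced."""
    base = tempfile.mkdtemp(prefix="phpfi-demo-")
    try:
        docroot = os.path.join(base, "htdocs")
        os.mkdir(docroot)
        with open(os.path.join(docroot, "index.html"), "wb") as f:
            f.write(b"<h1>hello</h1>")
        secret = os.path.join(base, "secret.txt")
        with open(secret, "wb") as f:
            f.write(b"root:*:0:0:Charlie &:/root:/bin/csh\n")   # constructed stand-in for /etc/passwd
        out = {
            "vuln_index": vulnerable_serve(docroot, "index.html"),
            "vuln_traversal": vulnerable_serve(docroot, "../secret.txt"),
            "vuln_absolute": vulnerable_serve(docroot, secret),
            "safe_index": safe_serve(docroot, "index.html"),
        }
        for key, q in (("safe_traversal", "../secret.txt"), ("safe_absolute", secret)):
            try:
                safe_serve(docroot, q)
                out[key] = "served"
            except PermissionError:
                out[key] = "refused"
        return out
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:15} {value!r}")
```

The containment test is done on the resolved path, not on the request string, so encodings and "sub/../../" tricks that survive a naive substring check for ".." are handled by the same single comparison.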
- -----------------------------------------------------------------

- -----------------------------------------------------------------
9) NORTON UTILITIES + INTERNET EXPLORER -> DANGEROUS (4/8)

Many security experts believe that the security model underlying
Microsoft's ActiveX is flawed and dangerous, and that problems will
multiply as it gains more widespread use. One such problem was
recently brought to public attention involving Symantec's Norton
Utilities. The flaw can leave personal computer users vulnerable to
outside attack if they use Norton Utilities 2.0 for Windows 95 and
browse the World Wide Web with Microsoft's Internet Explorer. The
problem specifically involves the TUNEOCX.OCX component of NU System
Genie. This control is marked safe for scripting, so any web page
that scripts ActiveX controls may invoke it. The result is that a
malicious page could use the control to run any command, such as
delete, format or ftp, on the local host. More information at:
<http://www.symantec.com/>.
- -----------------------------------------------------------------

- -----------------------------------------------------------------
10) WAR OF THE ANTI-VIRUS VENDORS

McAfee has accused Dr. Solomon's of "fixing" the latter's on-demand
scanner to detect more viruses under poorly-designed comparative
tests. In fact, reviews of anti-virus software by non-specialist
journalists and magazines are rarely as useful as those published
in the "Virus Bulletin" located at: <http://www.virusbtn.com/>

Vendor Discussions can be found at:
<http://www.drsolomon.com/> and <http://www.mcafee.com/>
- -----------------------------------------------------------------

- -----------------------------------------------------------------
11) NETWORK SECURITY CHALLENGES AND '97 CALL FOR CASE STUDIES

The Network Security'97 (New Orleans. October 19-24, 1997) planning
Committee has identified thirty-eight challenges facing security
professionals. The challenges can be found at <http://www.sans.org>.
If you have discovered or developed solutions for any of them, we
hope you will submit a proposal for a presentation. You don't have
to write a paper; just make slides and notes and present your solution.

Email [email protected] with a three or four paragraph summary of the
solution and how you know it works. We'll get back to you if we
have questions, and the selections will be announced in June.

Presenting a solution is one of the few sure ways of attending
Network Security'97, as only about 500 places will be available and
more than 1,180 people attended the last SANS conference. This year,
Network Security'97 has new courses on Windows/NT and UNIX Security,
on Auditing, on Remote Access and more. If you are not going to
submit a solution and do want to attend, please reply quickly when
the electronic conference announcement reaches you in about four to
six weeks.
===============================

-----BEGIN PGP SIGNATURE-----
Version: 4.0 Business Edition

iQCVAwUBM29WvKNx5suARNUhAQHAqgP/ZqxxLIe6DPvTO3x/eiXPd5vI0XjqhPiB
YMQMjQNmFfzB9bqJxq9TS1qKyALFoeasd79mkz9OhVDhOUTPZIc6kMwmdW1tTfMx
/oSgLHie9dW2HfA4rwu7KBHcCf27Rats+j63++12hzIXitFuNDyGQyc6RfzBae38
OwrI1ZAzTeY=
=5gOU
-----END PGP SIGNATURE-----